Slashdot Mirror


Zero-Day IE Exploit Takes Control of PCs

anethema writes "A remote IE exploit with implementations is currently in the wild. From the article: 'Exploit code for a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer browser has been released on the Internet, putting millions of Web surfers at risk of computer hijack attacks.' Apparently all you have to do is browse the page to be affected. There is no patch, but since it is a JavaScript exploit, you can work around it by disabling JavaScript."

43 of 567 comments

  1. This is why... by wpiman · · Score: 5, Insightful

    I use Firefox.

    1. Re:This is why... by msdschris · · Score: 5, Funny

      I use telnet and render the HTML mentally.

    2. Re:This is why... by Scoth · · Score: 5, Funny

      You say that in jest, but imagine the possibilities for exploits when/if we get to the point of direct neural implants for communications and such. Just imagine, instead of porn popups, lockups, and reboots we'll have people suddenly yelling about Viagra at the top of their lungs, freezing up and falling over mid-stride, and suddenly forgetting where they are.

      Maybe anyway :)

    3. Re:This is why... by Anonymous Coward · · Score: 5, Funny

      You've met my grandfather, I take it.

    4. Re:This is why... by andreMA · · Score: 5, Funny

      Two of those three would apply to the current crop of US politicians. All three if you count Bob Dole.

    5. Re:This is why... by HairyCanary · · Score: 4, Insightful

      Yes, the FF r0x0rs comments are redundant. Even more so are the responses to those comments that suggest that FF crashing has anywhere even approaching the same level of impact as an IE exploit that allows remote control to be taken of the affected computer.

    6. Re:This is why... by lordofthechia · · Score: 5, Funny

      "I use telnet and render the HTML mentally."

      You get used to it. I don't even see the code. All I see is blonde, brunette, redhead.

      --
      Georgia Tech, the leader in Chia(tm) technology.
    7. Re:This is why... by lordofthechia · · Score: 5, Funny

      I phone the webmaster and ask him to read me the webpage.

      --
      Georgia Tech, the leader in Chia(tm) technology.
    8. Re:This is why... by OakDragon · · Score: 5, Funny

      There is an exploit that my computer suffers from every day. It's called the 'Slash.ORG' worm, and it doesn't matter what kind of browser you use. Once the browser navigates to a certain website, it tends to stay there, refreshing as needed. It's called a DoPE attack, or 'Denial of Productivity for Employer.'

    9. Re:This is why... by orangesquid · · Score: 4, Interesting

      Why not just put your IE and web stuff in a special subtree and chroot before fork+exec'ing?

      Oh, wait, does windows even have anything like that...?

      I'm not trying to start a flame war, I'm honestly wondering.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    10. Re:This is why... by zachdms · · Score: 5, Informative

      Check out DropMyRights - should be exactly what you want.

  2. Ouch. by Pxtl · · Score: 4, Insightful

    Remember when web browsers were just for viewing HTML pages, and not as a platform agnostic instant-rollout applications platform?

    Yeah, me neither.

    1. Re:Ouch. by TheRealMindChild · · Score: 5, Funny
      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  3. And as usual... by Billosaur · · Score: 5, Funny

    From eWeek: The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw.

    Because anything that allows a malicious user to exploit your system and hijack isn't a flaw... it's a feature!

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:And as usual... by meringuoid · · Score: 4, Funny
      Because anything that allows a malicious user to exploit your system and hijack isn't a flaw... it's a feature!

      This kind of thinking is extremely $sys$profitable irresponsible.

      --
      Real Daleks don't climb stairs - they level the building.
    2. Re:And as usual... by zootm · · Score: 5, Funny

      This kind of thinking is extremely $sys$profitable irresponsible.

      My god, Sony have provided a viable Windows alternative to the old ^W^W^W^W *nix joke... it's worse than we thought!

    3. Re:And as usual... by mazarin5 · · Score: 5, Funny
      My god, Sony have provided a viable Windows *nix joke

      Huh?

      --
      Fnord.
    4. Re:And as usual... by Ibix · · Score: 4, Funny
      This kind of thinking is extremely $sys$profitable irresponsible.

      "I have seen the fnords..."

      I

  4. Is there a tenor in the house? by MikeMacK · · Score: 5, Funny
    The SANS ISC's Ullrich said IE users should consider switching to Firefox of Opera.

    Ah, the Firefox of Opera - who is that, Pavarotti?

  5. This is why... by MartinG · · Score: 5, Funny

    I use netcat.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  6. Thank you by steveo777 · · Score: 5, Funny

    Now that you've read the comments, your Windows box belongs to OSTG. Please stand by while we load Linux.........

    --
    This sig isn't original enough, it's time to come up with something witty...
  7. Give it 5 by intmainvoid · · Score: 4, Funny
    We have also been made aware of proof of concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time

    Well, there might be no customer impact at this time, but seeing as the exploit is published now, can I ask you again in about 5 minutes?

    1. Re:Give it 5 by intmainvoid · · Score: 4, Interesting

      Have you had a look at the source on a slashdot page recently?

              _uacct = "UA-32013-5";
              urchinTracker();

  8. This is why... by BushCheney08 · · Score: 5, Funny

    I don't browse the web.

    --
    Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  9. I hope this gets into a doubleclick ad by WhiteWolf666 · · Score: 4, Insightful

    /evil on

    That'd be SO funny

    Someday, an IE exploit is going to come along that wipes your HD. Then we'll see sparks fly. /evil off

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    1. Re:I hope this gets into a doubleclick ad by Xarius · · Score: 4, Informative

      I know he's considered as a bit of a prick, but ESR explains exactly why this would be one of the worst things that could happen here.

      Make of it what you will.

      --
      C17H21NO4
  10. good example of why Microsoft is bad at security? by diegocgteleline.es · · Score: 4, Interesting

    This exploit exploits a vulnerability on an already found denial-of-service attack which Microsoft classified six months ago as "low-priority"...

  11. Re:...or by not using Internet Explorer by dwandy · · Score: 4, Insightful
    IE's market share is still huge, but for the life of me I can't understand why.

    Take Preinstalled Browser,
    Add to Lazy User,
    and mix in a healthy dose of Ignorance.

    Alternate Recipe:
    Take Preinstalled Browser,
    Add Fear Of Change.

    Despite having Firefox installed at home, my wife insists on MSExploder .... I think the linux migration time-table is getting shortened.

    --
    If you think imaginary property and real property are the same, when does your house become public domain?
  12. Re:The facts please by Prospero's+Grue · · Score: 4, Insightful
    On a story like this, we need the facts, period. No hype, rhetoric or personal opinions. Only the facts please, because I know members are going to tout the "other browser" as the safer one.

    Now, mod me whatever you want, but the info you provide should be FACTS.

    Fact: A critical security flaw has been found in IE, and the SANS ISC is recommending that people use one of the "other browsers".

    Howzat?

    --
    The opinion above is fiction. Any similarity to real opinions, including facts and logic, is purely coincidental.
  13. This code by paranode · · Score: 4, Informative

    Will DOS Firefox. Not as bad as an exploit but they have issues to fix as well.

  14. Gah! by Anonymous Coward · · Score: 5, Insightful

    users do, but they're much further down the food chain

    Except that regular users comprise a greater number of Internet users. So if Joe Average uses IE, more people are going to be affected by this flaw.

    we'll get the usual set of arguments about browser and OS supremacy.

    If something has fewer security problems, isn't it "superior" in that respect?

    If you can't trust Lynx to be secure, then really nothing is secure.

    Right. Because if something has one flaw, then you might as well not even bother trying, because everything has flaws. I mean, just because IE has had double-or-triple-digit flaws, clearly this one flaw in lynx makes all arguments against IE moot.

    What an inane comment.

  15. lazy story submitters by mapmaker · · Score: 5, Funny
    Apparently all you have to do is browse the page to be affected.

    What, no link?

  16. Re:Link to a copy? by tomasvilda · · Score: 4, Informative
  17. Thank you by nealfunkbass · · Score: 4, Funny

    The holidays are a time for giving.

    Now that you've RTFA, and you are now looking at the comments page, the staff of Slashdot and EWeek would like to thank you for visiting our web pages and giving us full control of your windows PCs.

    Happy Holidays!

    --
    - Donny was a good bowler, and a good man.
  18. MS anti-spyware utility will stop this by digitaldc · · Score: 4, Funny

    I am pretty sure MS anti-spyware will stop this from launching

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  19. Hmm.... by Lonath · · Score: 5, Funny

    Isn't Google's master plan to take over the world dependent upon people using AJAX? If IE has a critical flaw using javascript, and everyone has to turn it off, then nobody will be able to use Google's new products and... Hey wait a minute.

  20. Re:...or by not using Internet Explorer by Darth+Maul · · Score: 4, Insightful

    but for the life of me I can't understand why.

    It's very, very simple. People are stupid and lazy.

    --
    --- witty signature
  21. Lynx by Frankie70 · · Score: 4, Interesting

    To be honest, I found it more of a shock that Lynx has a security flaw.

    Why? I haven't looked at Lynx recently, but Lynx used to be a very insecure
    browser - Lynx code had lots & lots of Buffer Overflows.

  22. Re:Opera affected too? by porneL · · Score: 5, Informative

    Not affected. I've tested <body onload="window();"> and nothing happens besides JS console logging "Statement on line 1: The Object does not implement [[Call]]".

  23. Re:Duh! (+1, informative) by Omega697 · · Score: 4, Informative

    What he meant was that there were 4 ^W's and when you erase 4 words you wind up with the nonsensical statement in his post.

  24. Re:...or by not using Internet Explorer by dallask · · Score: 5, Funny

    solution:
    Buy sony cd,
    install rootkit
    rename Explorer to $sys$explorer.exe

    --
    The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
  25. Re:Say goodnight, AJAX by ptomblin · · Score: 4, Insightful

    So? When 90% of your "customers" are being told that they either turn off Javascript or get a virus, it doesn't matter whether the problem is with Javascript or IE - either way, there is no return for adding AJAX features to a web site. I'd rather spend my precious development resources on non-AJAX features that benefit everybody.

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
  26. Re:...or by not using Internet Explorer by GweeDo · · Score: 4, Insightful

    Despite having Firefox installed at home, my wife insists on MSExploder

    I don't understand this. You aren't the first person to tell me their wife doesn't wanna run Firefox. You know what I did? I said to my wife, "Wife. IE will break the computer and then I will have to spend all night fixing it rather than doing whatever else it is you wanted me to do." My wife actually respects that I know what the crap I am talking about (just as I respect what the crap she is talking about in her area of expertise... which isn't IT) and goes with what I say.

    Why don't you people just try explaining the problems to your wife and get over it?